zfs noexec override, sort of.
--Apple-Mail-348-357081921
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=us-ascii
Hi,
Not sure if it's a real security issue, or if it's a feature.
ZFS allows the admin to create noexec volumes, so that users won't be =
able to execute binaries sitting on these volume. But as soon as one of =
these binaries is available on a snapshot, it becomes available for the =
user to execute:
# zfs create tank/test-exec
# ls
test-exec
# zfs get -r exec tank/test-exec
NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
# cp /bin/ls /tank/test-exec/
# /tank/test-exec/ls
bash: /tank/test-exec/ls: Permission denied
# zfs snapshot tank/test-exec@noexec
# zfs get -r exec tank/test-exec
NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
tank/test-exec@noexec exec off inherited from tank/test-exec
# /tank/test-exec/.zfs/snapshot/noexec/ls
test-exec
Once the snapshot is accessed, it's mounted automatically, and gets back =
an exec=3Don property:
# zfs get -r exec tank/test-exec
NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
tank/test-exec@noexec exec on temporary
So it makes it very easy for a user to install and use binaries on a =
shared server where (for example) every home is a ZFS volume with daily =
snapshots.
regards,
patpro
--Apple-Mail-348-357081921--